IDS stopped emailing me!

john.kingston, Level 1

I've got 2 devices (a 4210 and a 4220-E). Up until I put the latest update on them, they both emailed me on every event per the email Perl script. Now they don't. I've tried adding the "-on" switch to line 110, and I still can't get it to work. I can manually "blat" from a cmd prompt, and if I run the Perl script from a command prompt, I get no compiler errors.

any suggestions would be helpful....

Thanks

John

7 Replies

shannong, Level 4

Are you referring to VMS not emailing you rather than the IDS? You may want to share other useful info that may prove helpful.

More info would probably help here. Sorry!

I'm running 2 Cisco Systems Intrusion Detection Sensors, Version 4.1(3)S67. I am not using CSPM or VMS anymore. I moved to the new software the better part of a year ago. I am using the Perl script from the following message to generate more relevant information in my emails, and I have been using it for quite some time (almost a year now):

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.eea3f13/74#selected_message

Since the update to 4.1(3)S67, I've not been getting any emails. I've verified that the IDS devices are connected to the CiscoWorks server, and that the ACL on the router is being updated. I can watch the events populate the event viewer screen, and I can run reports in CiscoWorks showing any activity I choose.

I found a message in this forum stating that for the 4.1(3) update you have to change line 110 in the Perl script in the link above from this:

system("IdsAlarms -s\"$whereClause\" -f\"$tmpFile\"");

to this

system("IdsAlarms -on -s\"$whereClause\" -f\"$tmpFile\"");

I've tried that. I've also verified that "blat" works by sending myself something from the server, and I've verified that the Perl script compiles without error by running it without passing it any data (just typing "useremail.pl {$Query}" at the command prompt on the CiscoWorks server).

Here is the whole script in case others haven't seen it:

#!/usr/bin/perl

use Time::Local;

#***********************************************************************
#
# FILE NAME : emailalert.pl
#
# DESCRIPTION : This file is a perl script that will be executed as an
#   action when an IDS-MC Event Rule triggers, and will send an
#   email to $EmailRcpt with additional alert parameters (similar to
#   the functionality available with CSPM notifications)
#
# NOTE: this script only works with 4.x sensors. It will
#   not work with 3.x sensors.
#
# NOTES : This script takes the ${Query} keyword from the
#   triggered rule, extracts the set of alarms that caused
#   the rule to trigger. It then reads the last alarm of
#   this set, parses the individual alarm fields, and
#   calls the legacy script with the same set of command
#   line arguments as CSPM.
#
# The calling sequence of this script must be of the form:
#
#   emailalert.pl "${Query}"
#
# Where:
#
#   "${Query}" - this is the query keyword dynamically
#     output by the rule when it triggers.
#     It MUST be wrapped in double quotes
#     when specifying it in the Arguments
#     box on the Rule Actions panel.
#
#***********************************************************************
##
## The following are the only two variables that need changing. $TempIDSFile can be any
## filename (doesn't have to exist), just make sure the directory that you specify
## exists. Make sure to use 2 backslashes for each directory, the first backslash is
## so the Perl interpreter doesn't error on the pathname.
##
## $EmailRcpt is the person that is going to receive the email notifications. Also
## make sure you escape the @ symbol by putting a backslash in front of it, otherwise
## you'll get a Perl syntax error.
##
$TempIDSFile = "c:\\temp\\idsalert.txt";
$EmailRcpt = "gfullage\@cisco.com";

# subroutine to add leading 0's to any date variable that's less than 10.
sub add_zero {
    my ($var) = @_;
    if ($var < 10) {
        $var = "0" . $var;
    }
    return $var;
}

# subroutine to find one or more IP addresses within an XML tag (we can have multiple
# victims and/or attackers in one alert now). $var is a pattern that is matched
# against $_ (the current alert); the addresses found inside the match are
# returned as one comma-separated string.
sub find_addresses {
    my ($var) = @_;
    my @addresses = ();
    if (m/$var/) {
        $raw = $&;
        while ($raw =~ m/(\d{1,3}\.){3}\d{1,3}/) {
            push @addresses, $&;
            $raw = $';
        }
        $var = join(', ', @addresses);
        return $var;
    }
}

# pull out command line arg
$whereClause = $ARGV[0];

# extract all the alarms matching search expression
$tmpFile = "alarms.out";

# Extract the XML alert/event out of the database.
# The rule's ${Query} text is interpolated straight into a shell command line
# here, so it is trusted as-is; shell metacharacters in it would be interpreted.
system("IdsAlarms -s\"$whereClause\" -f\"$tmpFile\"");

# open matching alarm output
if (!open(ALARM_FILE, $tmpFile)) {
    print "Could not open $tmpFile\n";
    exit -1;
}

# read to last line
while (<ALARM_FILE>) {
    chomp $_;
    push @logfile, $_;
}

# clean up
close(ALARM_FILE);
unlink($tmpFile);

# Open temp file to write alert data into,
open(OUT, ">$TempIDSFile");

# split XML output into fields: join everything onto one line, then put a
# comma after each closing evAlert tag and split on the commas.
$oneline = join('', @logfile);
$oneline =~ s/\<\/events\>//g;
$oneline =~ s/\<\/evAlert\>/\<\/evAlert\>,/g;
@items = split(/,/, $oneline);

# If you want to see the actual database query result in the email, un-comment out the
# line below (useful for troubleshooting):
# print(OUT "$oneline\n");

# Loop until there's no more alerts. The XML tag names inside the patterns below
# were eaten by the forum's HTML rendering; they are restored here from the
# field names used in the comments and print statements.
foreach (@items) {
    if (m/\<hostId\>(.*)\<\/hostId\>/) {
        $hostid = $1;
    }
    if (m/severity="(.*?)"/) {
        $sev = $1;
    }
    if (m/Zone\=".*"\>(.*)\<\/time\>/) {
        $t = $1;
        # The sensor time is seconds followed by nine digits of nanoseconds;
        # keep the seconds part for localtime.
        if ($t =~ m/(.*)(\d{9})/) {
            ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime($1);
            # Year is reported from 1900 onwards (eg. 2003 is 103).
            $year = $year + 1900;
            # Months start at 0 (January = 0, February = 1, etc), so add 1.
            $mon = $mon + 1;
            $mon = add_zero($mon);
            $mday = add_zero($mday);
            $hour = add_zero($hour);
            $min = add_zero($min);
            $sec = add_zero($sec);
        }
    }
    if (m/sigName="(.*?)"/) {
        $SigName = $1;
    }
    if (m/sigId="(.*?)"/) {
        $SigID = $1;
    }
    if (m/subSigId="(.*?)"/) {
        $SubSig = $1;
    }
    # Patterns covering the attacker and victim elements of the current alert.
    $attackerstring = "\<attacker.*\<\/attacker\>";
    if ($attackerstring = find_addresses($attackerstring)) {
    }
    $victimstring = "\<victim.*\<\/victim\>";
    if ($victimstring = find_addresses($victimstring)) {
    }
    @actions = ();
    if (m/\<actions\>(.*)\<\/actions\>/) {
        $rawaction = $1;
        # Each action is an element like <shunRequested>true</shunRequested>;
        # keep the names of the ones whose value is "true".
        while ($rawaction =~ m/\<(\w*?)\>(.*?)\<\/\1\>/) {
            $rawaction = $';
            if ($2 eq "true") {
                push @actions, $1;
            }
        }
        if (@actions) {
            $actiontaken = join(', ', @actions);
        }
        else {
            $actiontaken = "None";
        }
    }

    ## Now write your email notification message. You're writing the following into
    ## the temporary file for the moment, but this will then be emailed.
    ##
    ## Again, make sure you escape special characters with a backslash (note the : between
    ## the SigID and the SubSig).
    print(OUT "\n$hostid reported a $sev severity alert at $mon/$mday/$year $hour:$min:$sec\n");
    print(OUT "Signature $SigName \($SigID\:$SubSig\) from $attackerstring to $victimstring\n");
    print(OUT "Actions taken: $actiontaken \n\n");
    print(OUT "----------------------------------------------------\n");
}

close(OUT);

## Now call "blat" to send contents of the file in the body of an email message.
## Blat is a freeware email program for WinNT/95, it comes with VMS in the
## $BASE\CSCOpx\bin directory, make sure you install it first by running:
##
## blat -install
##
## For more help on blat, just type "blat" at the command prompt on your VMS system (make
## sure it's in your path; feel free to move the executable to c:\winnt\system32 BEFORE
## you run the install, that'll make sure your system can always find it).
system("blat \"$TempIDSFile\" -t \"$EmailRcpt\" -s \"Received IDS alert\"");

What "new" software? VMS is the new software to be used by the IDS for management. This script is used by VMS Security Monitor to trigger emails.

Are you sure you're not talking about VMS?

I am talking about the VMS component of Ciscoworks. I've been on VMS and CiscoWorks 2000 for quite a long time now, about 14 months.

Sorry for the confusion, and if I need to give more information about something specific, I can.

I'm having similar issues with v4 sensors. I get the null emails with no variables since we applied Service Pack Update S91. I tried adding the variable to the script too, but it broke email completely.

Can anyone help us out here?

Is the temporary file being created in the temp directory as defined in the first variable?

$TempIDSFile = "c:\\tmp\\idsalert.txt";

There should be a file written there containing the body of the email every time the script is run.

You definitely don't want to use the -on option as that creates NR log format output. If specifying a format option, you would want to use -oi. However, that is the default and shouldn't need to be specified, although you may want to try it for fun.

The script is working for my VMS installation. The sensors are 4.1(3)S91.

Have you updated the signature version for SecMon using Admin\System Configuration\Update Network IDS Signatures?

The temp file is being created but it's empty:

reported a severity alert at // ::

Signature (:) from to

Actions taken:

----------------------------------------------------

Sensors and MC are at 4.1(4)S92.
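The blank record in the last post ("reported a severity alert at // ::") is what emailalert.pl produces when alarms.out contains something, so the split yields items, but none of the field patterns match those items; an empty alarms.out produces no record at all, because there is nothing to loop over. The script as written cannot tell the two cases apart, so the following added example (written for this edit, not code from the thread or from Cisco) redoes the script's field extraction in Python and fails loudly on each condition. The evAlert sample is constructed here from the element names the Perl patterns look for; its exact layout is an assumption, not captured sensor output, and the timestamp is formatted with gmtime rather than the script's localtime so the output does not depend on the machine's time zone.

```python
# Added example, not from the original thread: emailalert.pl's field
# extraction with explicit failure modes, so "no events" and "events in a
# format the patterns do not match" are reported instead of blank fields.
import re
import time
from typing import Dict, List

# Constructed evAlert dump (element names follow the Perl patterns; layout assumed).
SAMPLE_ALARMS_OUT = """<events>
<evAlert eventId="1" severity="high">
<originator><hostId>sensor1</hostId></originator>
<time offset="-300" timeZone="EST">1059000000123456789</time>
<signature sigName="TCP SYN Port Sweep" sigId="3002" subSigId="0"/>
<participants><attack><attacker><addr locality="OUT">10.1.1.5</addr></attacker>
<victim><addr locality="IN">192.168.1.10</addr><addr locality="IN">192.168.1.11</addr></victim>
</attack></participants>
<actions><shunRequested>true</shunRequested><tcpResetSent>false</tcpResetSent></actions>
</evAlert>
<evAlert eventId="2" severity="low">
<originator><hostId>sensor2</hostId></originator>
<time offset="-300" timeZone="EST">1059000060000000000</time>
<signature sigName="ICMP Echo Request" sigId="2004" subSigId="0"/>
<participants><attack><attacker><addr locality="OUT">172.16.0.9</addr></attacker>
<victim><addr locality="IN">192.168.1.10</addr></victim></attack></participants>
<actions></actions>
</evAlert>
</events>
"""

IP_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


class AlertParseError(ValueError):
    """Raised instead of silently writing a record with blank fields."""


def split_alerts(dump: str) -> List[str]:
    """One string per <evAlert>...</evAlert>; distinguishes 'nothing was
    written' from 'something was written that is not evAlert XML'."""
    text = dump.replace("\n", "")
    if not text.strip():
        raise AlertParseError("alarms.out is empty: the query returned no events")
    items = re.findall(r"<evAlert\b.*?</evAlert>", text)
    if not items:
        raise AlertParseError("no <evAlert> elements: output is not the XML format")
    return items


def _field(pattern: str, item: str, name: str) -> str:
    match = re.search(pattern, item)
    if match is None:
        raise AlertParseError(f"alert has no {name}")
    return match.group(1)


def _addresses(section: str, item: str) -> List[str]:
    """All IPv4 addresses inside <section>...</section> (find_addresses)."""
    match = re.search(rf"<{section}\b.*?</{section}>", item)
    return IP_RE.findall(match.group(0)) if match else []


def parse_alert(item: str) -> Dict[str, object]:
    """Extract the fields the Perl script prints from one evAlert."""
    raw_time = _field(r"<time\b[^>]*>(.*?)</time>", item, "time")
    # Sensor time is UNIX seconds followed by nine digits of nanoseconds.
    parts = re.fullmatch(r"(\d+)(\d{9})", raw_time)
    if parts is None:
        raise AlertParseError(f"unexpected time value {raw_time!r}")
    seconds = int(parts.group(1))
    actions_raw = _field(r"<actions>(.*?)</actions>", item, "actions")
    # Keep only the action elements whose text is "true", as the Perl does.
    taken = [name for name, val in re.findall(r"<(\w+)>(.*?)</\1>", actions_raw)
             if val == "true"]
    return {
        "host": _field(r"<hostId>(.*?)</hostId>", item, "hostId"),
        "severity": _field(r'severity="(.*?)"', item, "severity"),
        "seconds": seconds,
        # gmtime instead of the script's localtime: machine-independent output.
        "time": time.strftime("%m/%d/%Y %H:%M:%S", time.gmtime(seconds)),
        "sig_name": _field(r'sigName="(.*?)"', item, "sigName"),
        "sig_id": _field(r'sigId="(.*?)"', item, "sigId"),
        "sub_sig": _field(r'subSigId="(.*?)"', item, "subSigId"),
        "attackers": _addresses("attacker", item),
        "victims": _addresses("victim", item),
        "actions": taken,
    }


def format_record(a: Dict[str, object]) -> str:
    """The three lines the Perl script writes to $TempIDSFile per alert."""
    actions = ", ".join(a["actions"]) if a["actions"] else "None"
    return (f"{a['host']} reported a {a['severity']} severity alert at {a['time']}\n"
            f"Signature {a['sig_name']} ({a['sig_id']}:{a['sub_sig']}) "
            f"from {', '.join(a['attackers'])} to {', '.join(a['victims'])}\n"
            f"Actions taken: {actions}\n")


def render(dump: str) -> List[str]:
    return [format_record(parse_alert(item)) for item in split_alerts(dump)]


if __name__ == "__main__":
    print("\n".join(render(SAMPLE_ALARMS_OUT)))
```

Run against the real file by replacing SAMPLE_ALARMS_OUT with the contents of alarms.out (comment out the unlink in the Perl script first so the file survives): an AlertParseError naming the missing element points at the output format, while "the query returned no events" points at the ${Query} expression or the signature version the rule was evaluated against.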